

To: keydist@cafax.se
From: RJ Atkinson <rja@extremenetworks.com>
Date: Thu, 17 Jan 2002 14:35:46 -0500
In-Reply-To: <200201171829.g0HITgi22617@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
Subject: Re: problem statements...


It seems to me that the needs are:
	- distribution of public keys (preferably also "signed keys" or
		"public key certificates").
	- ability to authenticate the binding of a given public key
	  with the identity the key is associated with.

If one distributes signed public keys (whether or not formally 'certificates'),
then one can use signature validation to authenticate the (key, identity)
binding.

It is NICE if a given certificate/signed-key can have multiple authenticating
signatures bound to it -- because that increases the probability of someone
having knowledge of at least one of the keys useful for signature verification.

However, whether or not one uses DNS, I don't think there is ANY way
to get around the need to configure at least one public key (e.g. a
key used for signature/certificate validation) manually on a device.

(and I'm not being super-precise with terminology here, so be gentle :-)

Ran
rja@inet.org

